SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

TOP OF THE NEWS

The Center for Law and Technology at the University of California at Berkeley reviewed thousands of FTC complaints and identified the 25 financial institutions whose customers have experienced the most identity theft. Non-financial institutions with FTC identity theft complaints were also identified. Bank of America was at the top of the financial institution list, while AT&T was at the top of the non-financial list. -http://www.bankinfosecurity.com/articles.php?art_id=724 (subscription required) [Editor's Note (Schultz): Although this study has several flaws, it paves the way for more studies of this nature that put the spotlight on institutions that ostensibly don't do enough to prevent identity theft. The likely effect is to exert pressure on these institutions to "clean up their act." ]

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Prison Time for Data Thieves (March 1, 2008)

Two people have received prison sentences for their roles in a data theft scheme that victimized patients of the Kelsey-Seybold Clinic in Houston, Texas. Former insurance analyst Kretia Lutriel Griffin stole personal data belonging to approximately 200 of the clinic's patients. She sold the data to Aubry Johnson, who used the information to open charge accounts at various stores. Johnson was sentenced to seven years in prison for access device fraud and aggravated identity theft. Griffin received a two-year sentence for conspiracy. The clinic has notified patients whose data were compromised. A clinic spokesperson said that no medical data were involved. -http://www.chron.com/disp/story.mpl/headline/metro/5583753.html [Editor's Note (Liston): Even if you do everything right, you'll still always be susceptible to data theft by a malicious insider. These types of convictions and the hefty sentences imposed are the best deterrent that we have against those who would abuse their positions of trust.]

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

Encryption Pays Off for VA (March 3, 2008)

Security measures put in place at the Department of Veterans Affairs (VA) after the widely publicized theft of computer equipment in 2006 have proven to be effective. A laptop stolen last month from the home of an employee at the VA's Austin (TX) Corporate Data Center was encrypted, and department officials knew precisely what data were on the computer. The employee had permission to have the computer at home and had locked it to furniture. -http://www.fcw.com/online/news/151810-1.html?type=pf [Editor's Note (Schultz): This is a wonderful information security success story. The VA appears to be very determined to greatly improve its practice of data security and is already reaping some benefits. (Cole): The weakest link with full disk encryption is the password used to protect the encryption keys. Organizations cannot claim they are protected just because they use full disk encryption. If your company does not have a robust password policy or two-factor authentication, full disk encryption is only adding an illusion of security.]

More than 730,000 people who filed tax returns with the Dutch tax office for 2007 will have to resubmit their information after a computer problem deleted all their data except for social security numbers. Those affected filed electronically; the Dutch tax office did not back up the files. A similar problem occurred last year, when 400,000 companies had to resubmit payroll information. -http://www.theregister.co.uk/2008/02/29/sorry_we_lost_your_tax_return/print.html [Editor's Note (Liston): And their reason for not backing up the data would be...? ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Lawyer Admits to Snooping on Other Law Firm's Network (March 2, 2008)

A Charleston, West Virginia lawyer has admitted to accessing email and other private documents at the law firm where his wife worked. At first he suspected that she was having an affair, but he later admitted that he kept accessing and reading the material because he was curious. He allegedly accessed the law firm's computer system more than 150 times between November 2003 and March 2006. Michael P. Markins was employed at another law firm at the time, and at one point the two firms were representing opposing sides in a case. The Lawyer Disciplinary Board has recommended that Markins's law license be suspended for two years. Before he could be reinstated, he would have to complete 12 hours of legal education in ethics, after which he would be subject to one year of supervised practice. -http://sundaygazettemail.com/News/200803010561 [Editor's Note (Liston): I sincerely doubt that if the same situation occurred in any field outside the practice of law that the sanctions would be so ludicrously petty. Where's the jail time? ]

MISCELLANEOUS

Futures Trader Costs Firm US $141.5 Million (February 29, 2008)

A Tennessee man has allegedly made unauthorized trades in the wheat futures market that cost his firm US $141.5 million in losses. Evan Dooley's firm, MF Global, normally has electronic controls in place to prevent such situations, but the controls had been deactivated for certain traders, Dooley among them, because they slowed down transactions. -http://www.iht.com/articles/2008/02/29/business/29trader.php

Universities continue to face the challenge of balancing two diametrically opposed networking requirements. On one hand, IT services must deliver an open campus network with minimal restriction on use. On the other hand, the same campus hosts networks and systems that hold sensitive information requiring tight security controls, often under the scrutiny of specific regulatory mandates.

The past year has seen several web worm attacks against various online applications. While these worms have grown more sophisticated and made use of additional technologies such as Flash and other media formats, they all share some basic limitations, such as an inability to infect new domains or to use new injection methods. These worms are fairly easily detected using signatures, so they are annoying but ultimately controllable. This webcast examines the possibility of hybrid web worms that use several methods to overcome the limitations of current web worms. Specifically, the authors examine how a hybrid web worm (1) mutates itself to evade defenses; (2) updates itself with new attack vectors while in the wild; and (3) finds and exploits targets regardless of whether they are client web browsers or web servers.

This webcast will provide attendees with actionable advice on how to reduce their organization's risk from the Cold Boot Attack using encryption tools and real-world best practices. Hear responses from leading providers in the encryption market to gain a better understanding of how their solutions can help mitigate or avoid the vulnerabilities associated with the Cold Boot Attack. Attendees will walk away with a clear picture of how this vulnerability can impact their organization and which encryption solutions can provide best-in-class protection from this and other security risks.

The SANS Internet Storm Center (ISC) uses advanced data correlation and visualization techniques to analyze data collected from thousands of sensors in over sixty countries. Experienced analysts constantly monitor the Storm Center data feeds, searching for trends and anomalies in order to identify potential threats. When a threat is identified, the team immediately begins an intensive investigation to gauge the threat's severity and impact. This monthly webcast discusses recent threats observed by the Internet Storm Center, along with new software vulnerabilities or system exposures disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

When beginning a security process at a consortium of non-profits, senior network security engineer Paul Asadoorian of Pauldotcom began looking for a penetration testing tool that covered network, web application and social engineering tests. The tool he purchased is low on manpower requirements, largely self-maintaining, and reliably proves the existence of network vulnerabilities. Please attend this webcast to find out why Paul selected CORE IMPACT and learn how it can help you safely perform network, web application and end-user penetration testing.

Based on first-hand experience, this talk will look at areas where encryption should be used and how to avoid common mistakes. Dr. Cole will also identify areas where encryption should not be deployed. Overall, this talk will provide expert knowledge of the landscape of encryption, proper uses and common pitfalls. Register now for this free webcast!

The threat landscape changes constantly, driven in part by the "bot economy" and changing malcode techniques. In response, incident handler techniques must keep pace. This presentation will cover the use of RAPIER, a security tool built to facilitate first response procedures for incident handling. It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation. RAPIER automates the entire process of data collection and delivers the results directly into the hands of a skilled security analyst. From detection and discovery to capture and containment, expect a useful discussion meant to further your incident response practices.

Virtualization and on-board service processors are making log management systems obsolete and exposing their customers to significant compliance issues. All existing log management systems are based on an 'inside out', agent-based, SYSLOG and SNMP architecture. This model is obsolete in today's datacenter. Traditional log management systems do not log all events or watch the data center all the time, opening the door to Sarbanes-Oxley, HIPAA and other compliance risks.
=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com. He authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit http://portal.sans.org/